To be fair, the certificates are self-signed and don't match the DN, but I am assuming that "starttls=yes" forces TLS and the consumers cannot default to plaintext. Right? If yes, does this mean that in syncrepl, TLS use is hardcoded to verify certificates and fall back to a non-verified TLS session if verification fails? Or is this configurable, meaning can I enforce verification (preferable in production)?

Thanks,

- Siddhartha

To get clients to use unverified certs, you can add a line to your /etc/ldap/ldap.conf

TLS_REQCERT allow

This tells the client to ignore certificate errors and use TLS without question. Was this what you were looking for? I don't know much else about your other questions, sorry.
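As an added example (not from either poster), a small POSIX shell check that reports which TLS_REQCERT value a client config actually ends up with and whether that value still verifies the server certificate; the sample config files and the CA bundle path are constructed for the demo.

```shell
# Added example, not part of the original thread. ldap.conf keywords are
# case-insensitive, the last occurrence of a keyword wins, the LDAPTLS_REQCERT
# environment variable overrides the file, and the documented default when
# nothing is set is "demand".
effective_reqcert() {
    # $1: path to an ldap.conf-style file; prints the effective value in lowercase
    if [ -n "${LDAPTLS_REQCERT:-}" ]; then
        printf '%s\n' "$LDAPTLS_REQCERT" | tr '[:upper:]' '[:lower:]'
        return
    fi
    val=$(tr '[:upper:]' '[:lower:]' < "$1" \
        | awk '$1 == "tls_reqcert" && NF >= 2 { v = $2 } END { print v }')
    printf '%s\n' "${val:-demand}"
}

verification_status() {
    # Maps a TLS_REQCERT value to what happens with a bad or missing server cert.
    case "$1" in
        never|allow) echo "disabled" ;;  # bad or missing cert: session proceeds
        try)         echo "partial"  ;;  # missing cert accepted, bad cert rejected
        demand|hard) echo "enforced" ;;  # bad or missing cert: session terminated
        *)           echo "unknown"  ;;
    esac
}

# Constructed sample configs for the demo.
tmp=$(mktemp -d)
# The setting suggested above: errors are ignored, so a MITM cert is accepted.
printf 'URI ldaps://ldap.example.com\nTLS_REQCERT allow\n' > "$tmp/weak.conf"
# Verification enforced against a specific CA bundle (path is a placeholder).
printf 'TLS_CACERT /etc/ssl/certs/internal-ca.pem\nTLS_REQCERT demand\n' \
    > "$tmp/strict.conf"

for f in weak strict; do
    v=$(effective_reqcert "$tmp/$f.conf")
    echo "$f.conf: TLS_REQCERT=$v -> verification $(verification_status "$v")"
done
rm -r "$tmp"
```

The same values are accepted per consumer in slapd's syncrepl directive as tls_reqcert= (with tls_cacert= for the trust anchor), which is where a production consumer would pin demand rather than relying on the global ldap.conf.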